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Quantum key distribution establishes a secret string of bits between two distant parties. Of 
concern in weak làser pulse schemes is the especially strong photon number splitting attack by an 
eavesdropper, but the decoy state method can detect this attack with current technology, yielding a 
high rate of secret bits. In this Letter, we develop rigorous security statements in the case of finite 
statistics with only a few decoy states, and we present the results of simulations of an experimental 
setup of a decoy state protocol that can be simply realized with current technology. 
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Introduction. Tasks can be performed with quantum 
information processing that arc difïicult or impossible 
by purely classical means. Quantum key distribution 
(QKD) establishes secret keys shared between separated 
parties to enable secure communication, by making use 
of a quantum channel and a públic authenticated clas- 
sical channel. In the BB84 QKD protocol |l| random 
bits are encoded into polarized single-photon signals sent 
between the two parties (traditionally named Alice and 
Bob); a rigorous upper bound on the information gain 
of any potential eavesdropper (Eve) is deduced by mea- 
suring the bit error rate (BER) of the quantum signals. 
This information is then erased by privacy amplification 
0, y i a públic Communications between Alice and Bob 
over the classical channel with universal hashing 0, Ü| , 
producing a shared secret cryptographic key. However, 
in practice, QKD is popularly implemented with highly- 
attenuated weak làser pulse quantum signals, which are 
characterized by a Poissonian photon number probabil- 
ity distribution with mean /i < 1. Thus, with proba- 
bility 1 — e~ M (l + /i) ~ 0(fj, 2 /2), Alice prepares a pulse 
containing more than one photon. Furthcrmore, there 
is typically considerable loss in the Alice-Bob quantum 
channel, amounting to a 10-20 dB attenuation in many 
experiments. An eavesdropper could hypothetically ex- 
ploit this loss, in conjunction with the multi-photon sig- 
nals with very strong attacks such as photon number 
splitting (PNS) .7] , to gain information on the final key, 
unless fi is chosen to be sufficiently small. However, the 
recent invention of the decoy state method @, 0] pro- 
vides a rigorous means to foil this class of attacks with 
/i ~ O(l), elevating the security of weak làser pulse QKD. 

In a PNS attack Eve performs a photon number non- 
demolition measurement to identify Alice's multi-photon 
signals. Eve removes one photon from each multi-photon 
signal and stores it in a quantum memory, while sending 
on the signal's remaining photons to Bob over a lower- 
loss quantum channel. Eve also blocks enough of Alice's 
single-photon signals so that Bob does not notice any 
change in bit rate. Then, when the measurement bases 
are revealed during the sifting stage of the BB84 protocol 
Eve could obtain complete knowledge of the stored pho- 



tons without introducing any statistical disturbance in 
the Alice-Bob quantum Communications With suf- 
ficient loss in the Alice-Bob quantum channel, Eve could 
block all of Alice's single-photon signals and learn the en- 
tire key. However, decoy state protocols allow Alice and 
Bob to thwart the hypothetical PNS attack, and other 
attacks exploiting channel loss and multi-photon signals, 
on weak làser pulse QKD by enabling them to establish 
a lower bound on the fraction of bits in the sifted key 
that originated from Alice as single-photon signals. Pri- 
vacy amplihcation may then be used to obtain a secret 
key, making the conservative assumption that all multi- 
photon signals arc known to Eve. 

In a decoy state protocol, Alice randomly seleets the 
mean photon number of each of her pulses from among a 
set of vàlues between \i\ ow and [ihigh- Each pulse encodes 
a random bit in a random basis of an orthogonal space 
(such as polarization or phase) . Alice and Bob (publicly) 
count the number of detection events (clicks signifying 
that one or more photons were received) for each level. 
If "too many" detections oceur at the high lcvcls and "too 
few" at the low levels, Alice and Bob may suspect they 
are victims of a photon number splitting attack. This is 
made rigorous and shown to be asymptotically efficient 
in 0. Some approaches towards developing a practical 
protocol are presented in 0, • 

The main result of this paper is a security statement 
and protocol for the decoy state method for the case of fi- 
nite samples; it could be incorporated into an experiment 
to get a real-world security measure for a finite-length fi- 
nal secret key. Our approach 0] is to develop security 
statements of the form, "With conhdence 1 — e, Eve's dis- 
tribution over final rn-bit keys has Shannon entropy at 
least m — 1." That is, the a priori probability that Eve 
has less than m — 1 bits of Shannon entropy for the final 
key shared by Alice and Bob is less than e. However, the 
security statement we present here will be limited to the 
number of bits Alice and Bob share from single-photon 
pulses. A complete security statement could then be con- 
structed by integrating the steps of error reconciliation, 
privacy amplification, authentication, and key verifica- 
tion with appropriatc confidcncc lcvcls. 
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Analysis. A signal from Alice with mean photon 
number fi is detected by Bob with probability = 

J2 n >o C n\ w ^ crc the unknowns {y n } represent the 
channel transmission characteristics, with < y n < 1. 
More precisely, y n is the conditional probability that at 
least one photon is detected given that n photons were 
emitted. Now suppose that Alice utilizes M mean photon 
numbers, /lím- For each /ij, Alice's detection 

data (from a beam monitor) provides not only a maxi- 
mum likelihood estimator /Jj 7 but also, more importantly 
for our purposes, a 1 — e confidence interval 

XJ < H < X+ . (1) 

Similarly, for each \ij , Bob's detection data yields a 1 — e 
confidence interval for d fíj . By truncating the infinite 
series of d l·lj after (K+l) terms, with bounds for the 
dropped portion, we obtain 2M inequalitics of the form 

Q<k<K 

We choose K sufficiently large to achieve tight bounds 
(limited only by computational power). We want to con- 
servatively bound the unknowns {^j}j<M and {yk}k<K 
utilizing these 4M inequalities and the 2(K + 1) trivial 
inequalities < yk < 1. Let the closed, bounded region 
in the (M + K + l)-dimensional real vector space defined 
by all AM + 2(K + 1) inequalities be denoted R. Notc 
that the parameters of interest {(J<j}j<M ,{yk}k<K lie in 
R with confidence (1 — e) 2M . The conditional probability 
of a single photon detection conditioned on a detection 
at Bob for a fixed mean photon number is 

P{H,yo,yi,...) = — e _^„ ■ (3) 

Let P m ïn be the minimal value of P over R. Given 
P-min we could find the largest s such that Proò(numbcr 
of received single-photon pulses < s\P m i n ) < £■ The fi- 
nal result is that in the set of all Bob's detections, at 
least s detections came from single-photon pulses with 
confidence (1 — e) 2M+1 . However finding the global min- 
imum of a nonlinear function like P over a complicated 
region like R is difficult. Instead we use a more conser- 
vative value P' min < P m in to calculate s. We use the 
lower bounds for (i and y\ for the numerator of P and we 
use upper bounds for fi and all y n in the denominator of 
P. Plugging all these vàlues into P yields P' min and we 
then use P' min to calculate s, the bound on single-photon 
detections with confidence (1 — e) 2M+1 . 

In the process of incorporating this analysis in a full 
protocol [13|, we would also need to determine the bit 
error rate for the sifted single photons. Let b n be the 
BER for an n-photon pulse prepared by Alice. If every 
làser pulse is well-defined in polarization, then we could 
bound the single-photon BER b\ by calculating upper 



and lower bounds (with confidence level 1 — e) of the 
observed BER Bj = e~ M J J2 n * b n y n for each signal 
strength fXj and solve for the largest possible value of b\ . 

Protocol of possible implementation. For purposes 
of illustration, let us consider an example protocol that 
is well-suited for a free-space QKD scenario. The decoy 
state method works by Alice sending signals at various 
strengths and Bob counting detector clicks. However, 
it is possible to obtain good bounds on the transmission 
rates of single-photon signals versus multi-photon signals 
with a fixed, known làser strength /i, provided that Al- 
ice can fire any number of her làsers simultaneously. In 
the following protocol, we consider Alice's setup to con- 
tain four identieal làsers, each producing a weak coherent 
pulse with a distinct polarization (e.g., vertical, horizon- 
tal, diagonal, and anti-diagonal) . An important assump- 
tion we make is that the output of j làsers firing simul- 
taneously with intensity fi (averaged over all j-tuples) is 
indistinguishable from the output of one làser firing with 
intensity j/i (averaged over polarizations) , because they 
are described by the same density matrix |l4| . 

Let e be a user-defined parameter for security. 

Let N be the number of clock cycles during the quan- 
tum transmission portion of a QKD session. 

During each clock cycle, Alice generates four random 
bits. Each bit is assigned to one of the four làsers, and 
each làser is fired (simultaneously) if its bit value is one. 

Let Nj be the number of signal pulses sent during the 
session with j làsers firing simultaneously. We thus ex- 
pect No « JVi w f , N 2 « M , N 3 w f , and 7V 4 « 

Bob records all positive detection results (meaning one 
or more detectors click) for the N clock cycles. He in- 
forms Alice (over an authenticated públic channel) which 
signals yielded positive detections, and then Alice telis 
Bob how many làsers were fired for each detected signal. 

Let Cj be the total number of positive detections 
recorded for the set of signals produced by j làsers firing 
simultaneously. 

Let y n be the true conditional transmission proba- 
bility of an n-photon pulse {i.e. the probability that 
Bob observes a click when Alice prepares an n-photon 
pulse). Note that yo is the detector noise rate (back- 
ground counts plus dark counts). 

Let Yj be the true conditional transmission probability 
of a pulse with strength fj,j (i.e. the probability that Bob 
observes a click when Alice fires j làsers simultaneously) . 

Then Yj = J2n=o ^r - ^™- Lo et al use jf~ as a 
maximum likelihood estimator for Yj , but we will instead 
consider confidence levels from finite sample statistics. 

Let Yj + and Y~ be upper and lower bounds on Yj 
at confidence level 1 — e, given that Bob observes Cj 
detections for Nj signals. The vàlues of Yp are calculated 

by solving (g)(^) Cí (l " Yf-) N *~ C * < c. 

Let K to be the number of variables we will constrain. 
For this example, we found K = 11 to be sufficient. 
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Decoy state protocol with dark count rate of 3 x 10" 6 T e = 10~ 7 , K = 11, and r) = 1 0" 1 
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Decoy stale protocol with dark count rate of 3 x 10" 6 , e = 10" 7 , K= 11, and t] = 10" 3 
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FIG. 1: (Color online) Rate of received single-photon 
signals versus mean photon number /i over a channel 
acting as a beamsplitter with transmission 77 = 1CP 1 



FIG. 3: (Color online) Rate of received single-photon 
signals versus mean photon number /1 over a channel 
acting as a beamsplitter with transmission 77 = 1CP 3 



Decoy state protocol with dark count rate of 3 x 10 , e = 10 , K= 11, and r) = 10 
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Decoy state protocol with dark count rate of 3 x 1 0" 6 , e = 1 0" 7 , K = 1 1 , and t) = 1 * 
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FIG. 2: (Color online) Rate of received single-photon 
signals versus mean photon number /i over a channel 
acting as a beamsplitter with transmission 77 = 10" 



FIG. 4: (Color online) Rate of received single-photon 
signals versus mean photon number /1 over a channel 
acting as a beamsplitter with transmission 77 = 10~ 4 



Now solve for the minimum value of y\ subject to < 
j/fe < 1 and the following set of inequalities: 

Y+>e-«£>M (4 ) 

fc=0 

(1-Yf) > e -»£(l-v k )&f- (5) 

These inequalities are a set of hyperplanes which define 
the faces of a convex polytope. 

Finally, to determine the single-photon bit error rate, 
let b n be the true BER of an n-photon pulse. For this 
protocol, only the N± signals prepared by Alice by firing 
exactly one làser have definite polarization. Therefore, 
we only have one signal strength \i\ = \x that can be 
used to measure the BER in this setup, so a conservative 



approach would be to let b n = for n > 2. This lcads 
to the constraint that < e _AI (~y + (ibiyi) < B+ , 
where Bf and B^ are upper and lower bounds with con- 
fidence 1 — e on the observed BER of the Ni signals. 

Numerical results. Figures ^ El El andQJplot the re- 

sults of simulations of the protocol just described, with 
observed transmission efhciency 77 ranging from 10" 1 
down to 10~ 4 . We chose security paramctcr e = 10~ 7 
and detector dark count (plus background count) rate 
t/o = 3 x 10~ 6 per clock cycle. This value of j/o is com- 
parable to the observed rate at nighttime for the 10-km 
free-space experiment with clock rate of 1 MHz 0] . 

The optimal mean photon numbers are found to be 
around 0.35, 0.45, and 0.52 for session size N — 10 5 /?7, 
N = 10 6 /t7, and N = 10 7 /t/, respectively. Asymptoti- 
cally, this protocol has optimal /i ~ 0.55, which can be 
compared to the asymptotic result of /1 ~ 0.5 calculated 
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Single-pholon rate comparison of conventional and decoy state methods 



decoy state method with N = 1 
conventional method 
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FIG. 5: (Color online) Rate comparison before error 
correction and privacy amplification of decoy state 
method (sòlid red line) versus conventional method 
(dashed blue line) of handling PNS attack. 



by Lo et al |9( with similar parameters. 

We require Nrj > 10 5 to have sufficient statistics for 
our confidence level of 1 — 10~ 7 . However, reducing e 
to, say, 10~ 14 has minor effects; the lower bounds of the 
single-photon rates are decreased for N = 10 5 /?? by less 
than 25% and for N = 10 6 /r] by less than 10%. 

Increasing the dark count (plus background count) rate 
by a factor of ten has negligible effects on the resulting 
lower bounds for the single-photon rate. We also exam- 
ined the impact of BER on the resulting secret key bit 
rate under this protocol. We found that, roughly speak- 
ing, a BER of 7% assuming optimal individual attacks 
li or a BER of 3% allowing general coherent attacks 
17| both resulted in halving the secret bit rate and shift- 
ing the optimal /x downwards by about a quarter. Most 
of this shift is due to the conservative estimation of the 
single-photon BER b\ by setting b n = for n > 2. 

Rate comparison. Conventionally [18| , the PNS attack 
is handled by choosing an appropriately small value for 
mean photon number fj,, so that even if all multi-photon 
pulses are transmitted perfectly (y n — 1 for n > 2), some 
single-photon pulses must still remain in the set of Bob's 
detections. Then, the guaranteed single-photon rate is 
close to R = fi(r] — /i/2), which is maximized when we 
choose [i = rj. In Fig. the dashed blue line corresponds 
to this rate as a function of r\. 

Suppose we implement the decoy state protocol for a 
session size of N = 10 9 pulses. The single-photon rate is 
given by R = (l/4)//ie _M ry, where / is the fraction of the 
lower bound to the upper bound in Figs. an d the 

optimal value of /x ranges from around 0.55 for rj = 0.1 
down to about 0.35 for rj — 0.0001. In Fig. [S] the sòlid 
red line corresponds to the rate with these vàlues. 

Conclusions. The decoy state method can be im- 
plemented with current technology, and it greatly en- 



hances the practical security of quantum key distribu- 
tion. In particular, photon number splitting attacks, 
where Eve has active control of the quantum channel, 
can be thwarted without drastically reducing the secret 
bit rate by preparing pulses at various intensities (such as 
by firing a variable number of làsers with fixed intensity). 
We have shown how to incorporate confidence levels from 
finite statistics into the decoy state method. Choosing 
the best distribution and intensities for the set of decoy 
and signal states is a huge optimization problem, which 
depends on such vàlues as channel loss, dark count and 
background count rates, and acceptable security param- 
eters. However, we have demonstrated that even with a 
few easily constructed decoy states, high rates of secure 
QKD can be established with high confidence. 
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